Thread 138627: Two-step verification removal no longer needs a ticket
I'm sorry, but if it's really this easy to remove the authenticator, that's not a trade-off, that's a plain open security hole you are creating. Please explain what the process is for removing an authenticator. Because right now I'm assuming the worst, and if you have indeed opened a security hole like this you are going to be liable.

Right now you simply go to your account settings and remove it via an automatic request that uses your email address for verification. So as long as your mail is secured you are ok. Once you have mail compromised you are screwed.

They need your email to login. Meaning if they are on that step, they already know your email and your game password. At launch we had so many people with compromised accounts that 2-step authentication was added. If my guess is correct, 90% of these people will use the same password for their email as they use for their game account. As a hacker, you know this as well. Know one password, you usually know every password. So by enabling this option, they pretty much compromised every account in their system.

It does not always work that easily. Social engineering and stealing personal information is one part of obtaining an account. You might have been fortunate by not clicking dodgy links or anything. But that's not an excuse to disable security mechanisms on accounts.

To be able to remove an Authenticator from your account he needs to enter a code, so he needs to have access to your phone. If he doesn't have access to your phone, nobody besides you can remove the Authenticator from your account.

@Edit: My bad, they changed the way it works. What the hell are you doing, Carbine?

Edited October 8, 2015 by BakuDM

This is not just a bad decision, it is retard-worthy. Now 2-step is just a buff and ceases to be a security feature. How did this get by any manager or leadership in the company? This just proves Carbine fired the wrong people.

Edited October 8, 2015 by Bound4Earth

I have no problem with the fact that people don't know this stuff. Cryptography is pretty hard and mathematical. I do have a problem with companies and people trying to force their ignorance on others.

Soooooooo. Normal login: Email+password. 2-step: Email+password+authenticator app. Remove the authenticator app code requirement to get rid of the authenticator, without adding any other sort of security layer: Normal login = 2-step login. Except 2-step is a slight pain in the a** every 7 days. Like a breeze hitting a sore wound. But obviously, if you just remove the authenticator when people e-mail you, no questions asked, then this step makes perfect sense, as you've already completely screwed over your own system. Which begs the question: Why don't you do what Facebook and Google do, where 2-step is not an app but an SMS text code to a phone number? Most people that lose their phone retain their phone number; they've just lost the app. Meaning that they will be able to access the same phone number as before, thus keeping security intact. Or you can just keep the authenticator as it is now, and then your removal site will send a text code to your phone number, which is then needed to remove the authenticator on your site. Proper solutions are really, really obvious, and are proverbial low hanging fruits. Go do.

Even simple things like "enter the name of 1 character on this account" as a security question before 2-step verification is removed would make a huuuuge difference.

Yeah, in most instances if you lose access to your owning e-mail account you're boned regardless of 2FA.

As someone who does NOT have a mindset of *cupcake*ing clicking whatever bullshit there is out there, and who keeps their PC clean, I have had attempts made on my WoW account. It's not always the person's fault when their account gets compromised.

I haven't tried the procedure myself, but going by the description they provided, they need more than to know your email to remove the authenticator. They need to access and read your incoming emails to remove the authenticator. Since my email has a different password and its own authenticator (and I hope all of yours do too), this is not compromising the WildStar 2-step authentication.

That's why I don't use the same e-mail account for personal/business correspondence and for games... so your point is moot. The point is that 2-step verification now serves no purpose, so they may as well just remove it.

If you are aware enough to keep your personal/business accounts separate then I highly doubt you have the same passwords for mailbox and game account; having both of them compromised in that case is very, very unlikely. Billing info also gets mailed to your game account. It will most likely have enough info for anyone willing to pass human checks through support and a ticket. My main point is that this change is not really different compared to ticket disabling of 2-step, which is how it worked previously, yet at that time no one complained. This strikes at the balance between security and usability. I mean, secure 2-step on an Android phone? That alone is silly.

Edited October 9, 2015 by Dennor

IMO an automated process such as this one would be both more effective and efficient. Is it really such a pain to input the code every 7 days that so many people are asking to remove it? Can't really see what the issue here is (was); would be grateful if someone enlightened me.

P.S.: Read it again: "If you want to unlink your authenticator but no longer have access to your mobile device and do not have the CODE (highlighted in the screenshot above) you can now unlink your authenticator without having to contact support. To do so, please follow the steps below: (...) After clicking on the link you will then be sent an email to the registered email."

Edited October 19, 2015 by Tempestive

Mainly because some people use Google Authenticator because they don't own a mobile phone.

(Un?)lucky people with fixed IP addresses... I have to enter my code each day. I believe the main reason to let support remove it was actually a lost authenticator key (lost/new phone, PC reinstalled etc.); everyone with a working authenticator could remove it anyway. This doesn't make any sense to me.

Edited November 5, 2015 by Smiley
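Added example, not from the thread and not Carbine's code: a small Python model of the two unlink policies the posters compare. The email-only policy (the one the thread objects to) accepts the clicked email link as the sole proof, so whoever holds the mailbox can strip the second factor; the hardened policy additionally requires either a live code from the linked authenticator or a one-time code sent to the registered phone number (the SMS fallback suggested in the "Soooooooo" post). The Account and UnlinkRequest shapes, the demo account and the SMS code are constructed assumptions; the TOTP routine follows RFC 4226/6238 so the RFC test vectors check it.

```python
import hmac
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the time-step counter (30 s steps by default)."""
    return hotp(secret, at // step, digits)


def totp_valid(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps of clock drift; constant-time compare."""
    for drift in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, at // 30 + drift), code):
            return True
    return False


@dataclass
class Account:                      # hypothetical account record
    email: str
    phone: str
    totp_secret: bytes
    authenticator_linked: bool = True


@dataclass
class UnlinkRequest:                # hypothetical "unlink authenticator" submission
    email_link_clicked: bool = False
    totp_code: Optional[str] = None
    sms_code: Optional[str] = None  # one-time code the server texted to Account.phone


def unlink_email_only(acct: Account, req: UnlinkRequest) -> bool:
    """Policy the thread complains about: the emailed link is the only proof required."""
    if req.email_link_clicked:
        acct.authenticator_linked = False
    return not acct.authenticator_linked


def unlink_hardened(acct: Account, req: UnlinkRequest, now: int, expected_sms: str) -> bool:
    """Email link AND a second proof: a live TOTP code, or the code sent to the registered phone."""
    if not req.email_link_clicked:
        return False
    has_totp = req.totp_code is not None and totp_valid(acct.totp_secret, req.totp_code, now)
    has_sms = req.sms_code is not None and hmac.compare_digest(req.sms_code, expected_sms)
    if has_totp or has_sms:
        acct.authenticator_linked = False
    return not acct.authenticator_linked


def simulate(now: int = 1111111109) -> dict:
    """Constructed scenario: the requester controls the mailbox but not the phone/authenticator."""
    secret = b"12345678901234567890"          # RFC 6238 test key, used as a constructed demo secret
    sms = "493021"                            # constructed one-time SMS code "sent" by the server

    def fresh() -> Account:
        return Account("player@example.com", "+15555550100", secret)

    mailbox_only = UnlinkRequest(email_link_clicked=True)
    owner_totp = UnlinkRequest(email_link_clicked=True, totp_code=totp(secret, now))
    owner_sms = UnlinkRequest(email_link_clicked=True, sms_code=sms)
    stale_totp = UnlinkRequest(email_link_clicked=True, totp_code=totp(secret, now - 120))

    return {
        "email_only/mailbox": unlink_email_only(fresh(), mailbox_only),   # unlinked: 2FA collapsed
        "hardened/mailbox": unlink_hardened(fresh(), mailbox_only, now, sms),  # refused
        "hardened/owner_totp": unlink_hardened(fresh(), owner_totp, now, sms),  # allowed
        "hardened/owner_sms": unlink_hardened(fresh(), owner_sms, now, sms),    # allowed
        "hardened/stale_totp": unlink_hardened(fresh(), stale_totp, now, sms),  # 4 steps old: refused
    }


if __name__ == "__main__":
    for name, unlinked in simulate().items():
        print(f"{name:24s} unlinked={unlinked}")
```

The point the simulation makes is the one the thread argues: under the email-only policy the mailbox becomes the single factor for the whole account, whereas the hardened policy keeps a second channel (possession of the authenticator secret or of the registered phone number) in the unlink path itself. A production version would store a random per-account secret rather than the RFC demo key, rate-limit code attempts, and expire the SMS code after a short time.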